Answered: Your Most Burning Questions About Planning And Operationalizing MITRE ATT&CK

Hey There, 

Recently we ran a webinar ( English | German | French) in which we showed how Security Operations Teams can plan based on the MITRE ATT&CK Navigator, a threat-centric defense strategy. We also demonstrated how to operationalize it with content from the Splunk Security Essentials app via Splunk Enterprise Security. 

We received so many questions from attendees during the session that we weren’t able answer them all. That’s why I wanted to take the time to re-share the poll results we conducted during the webinar as well as questions raised by Security Analysts, SOC Managers and Head of Securities during the session. 

Poll Results

We asked two poll questions about the adoption and operationalization of the MITRE ATT&CK Framework within the Security Operations Center. 

Poll: Are Sec Ops Teams using MITRE ATT&CK for security defense planning?

The first question we asked was if organizations were already using the MITRE ATT&CK Framework for their security defense planning. Over 60% are building on it - showcasing a huge adoption within SecOps teams. This is a testament to the fact that those teams are executing cybersecurity strategically and systematically rather than just deploying opportunistic security solutions.

Poll: How are Sec Ops Teams choosing which MITRE ATT&CK Technique to implement for proactive monitoring?

The second question asked was which decision criteria organizations use when selecting techniques for which to implement detections. Over 40% look into the APT Groups which are most relevant for their specific industries and on top of which build their strategy. One-third of poll participants focus on what is easiest to accomplish from an organizational and technical perspective. 

Q&A

Q: Say for example a threat actor identifies themselves as being responsible for a data breach, how easy is it to go back to MITRE ATT&CK and see exactly how they penetrated the network all the way to data exfiltration?
A: Incident response procedures are the processes that go back to identify what happened and where the initial weak points were. Very often in the finding reports it's then mapped to MITRE ATT&CK Tactic and Techniques. We can also see that it's not only the security vendors and incident response providers using these mappings in their threat reports; now most government institutions are using them for communications and addthis to their threat alert warnings.

Q: Is the MITRE ATT&CK Framework used only to mitigate APTs, or also individual attacks?
A: This is a great question – it's also key to understand its limitations. What is your definition of "individual attacks" and how do they differentiate from APTs? If it's "Targeted accounts to your company" these are included in MITRE as the first step is Reconnaissance which you can’t really prevent technically - just limit the surface like being sensitive on job descriptions posted online etc. If you refer to "insider threats" it might start at the collection & data exfiltration phase - however MITRE ATT&CK information comes really from threat reports of actual attacks which have happened. This is also a limitation of it. It's not a risk based approach to "what might happen". Just to be aware.

Q: How do you map to vulnerabilities?
A: Vulnerabilities are exploited by threats. So basically MITRE ATT&CK focuses on threats rather than vulnerabilities. So for example in "Initial Access" are techniques listed for exploiting public-facing applications. Mitigation suggestion - one of many - is "Update Software - M1051".

Q: How can we find out which ATP groups are impacting Charity or Nonprofit organisations?
A: Hi, go to the MITRE ATT&CK Website - Groups and review the APT Groups: https://attack.mitre.org/groups/ - for example Mutang Panda / G0129 lists "nonprofit" and you can deep dive from there.  You can find “Industry” as an option on the Splunk Security Essentials ATT&CK Navigator. By selecting “Nonprofit” you will see there are 4 Threat Groups that have targeted Non-Profits in the past. 

Q: We’re currently using a range of products to cover most entry options, manage engine, EPO with threat detection, windows defender, too many logs and alerts to shifting through presently looking for a better way to monitor and display a more "friendly" interface.
A: Yes agree. So the "source" for mapping or what you see in our demo shortly - does not need to be the "raw" event from the "source system". it can be an aggregated view from McAfee/now Trellix epo/endpoint or others up - it's key to just have from wherever it comes from that visibility. It is similar at every organization but again very different - as the technology stack and what is easiest/most efficient varies. 

Q: Prioritizing the technique based on the threat groups is good but some techniques can contain 7 sub-techniques – does this mean that all of the sub-techniques will have to be covered even if the threat group has never used them?
A: Unfortunately that is a risk decision.... what we can say - don't try to cover everything. A phrase I picked up goes: "Don't plan for a wall, plan for a chessboard" - so plan across all tactics and key techniques. 

Q: Do we have to own Splunk ES in order to use it?
A: Splunk has decoupled Content & Product. Content is open source/freely available. The Security Essentials App is basically our content inventory. The Splunk Research Team content is included or you can also access on git. 

Q: How does this cover zero day attack?
A: Zero-day is often one technique to gain initial access. While you might not be able to spot it immediately through more coverage you can detect quickly the second step like elevating privileges or accessing other accounts.

Q: Which type of license do I need to implement MITRE Framework on Splunk Enterprise Server?
A: The content is free. For operationalization, implementing alert prioritization, getting it in a structured way that does not end in chaos, we strongly recommend Splunk Enterprise Security.

Q: The poll question isn't easy to answer....my response would have been that we're following our risk register. It wouldn’t be accurate to say that we looked at 'industry' as a guideline since we considered various sources of intelligence as well as our own collective experiences.
A: Yes, yes - you're 100% right. MITRE is what happened - not what might happen and is most important to your company. We have also seen that based on their risk assessment security teams have different "standards" of the optimal coverage level. Like a lot of techniques covered for very critical assets/environments and less coverage on not so critical ones.

Q: I think I love Matthias. Can I hire him to be my hype-man?
A: Haha thanks – you win the award for the best question of the day ;-) 

Want to hear more about what good looks like in Security Operations?

Learn how Thales, Shell and other leading Security Operations Teams have modernized their SOC and watch our "5 SOC Stories - Lessons learned from 2021" Webinar on demand here: English | German | French.

Happy Splunking,

Matthias